~> **Note**: Starting in Vault 1.12, only the `pkcs7` login flow with the AWS
   [`/rsa2048` signature endpoint](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-rsa2048.html)
   credentials will work by default due to the deprecation of SHA-1-based signatures.
   Please see [the deprecation FAQ](/vault/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1)
   for more details and a workaround.
